“I guess everybody is going to know what kind of porn I like.”
Not something one hears at a lot of business meetings, but the guy had a point: We were in the middle of DEF CON, the annual hackers’ convention in Las Vegas, and he had broken the cardinal rule: Never use the Wi-Fi. Nearby, the user names and passwords of the unwary were displayed for public amusement on the Wall of Sheep. The scene is High Hacker Camp, a carnival of nerdery overseen by a fellow who calls himself “Dark Tangent.”
The gray men from Washington want to be here — they need to, really — and they’re making nice after having been disinvited from the 2013 convention in protest of the prosecution of Edward Snowden. The Federal Trade Commission, which has become the de facto federal police department for consumer-privacy violations, underwrites DEF CON contests, and DARPA, the Pentagon’s mad-scientist venture-capital division, is a convention regular. Representative Will Hurd (R., Texas) is here, too, talking about the hijacking of vast quantities of personal data, ranging from background checks and financial information to fingerprints, from the poorly secured network operated by the federal Office of Personnel Management (OPM). Hurd, a former CIA agent and a partner in a cybersecurity firm, is here looking for help. The best way to defend against hackers, he tells a Motherboard reporter, is to have a hacker mentality.
Or to have the hackers. Dark Tangent? His real name is Jeff Moss, and he sits on the Department of Homeland Security’s advisory council.
Talk of the OPM hack has been twittering through official Washington for months as federal employees, contractors, and people who simply applied for a government job once upon a time share news of getting “the letter,” a note from Uncle Stupid informing them that their files are among those compromised by the hack. There’s something kind of beautiful in the government’s using 18th-century technology — the U.S. Postal Service — to inform its employees and would-have-been employees that it cannot handle anything more advanced.
Hack victims are being offered a year’s worth of free identity protection and credit-monitoring services, which many have characterized as inadequate. There have been episodes of identity theft, credit-card fraud, and the like — the letter specifically disclaims government liability for any of that, of course — but for the vast majority of federal workers it will be impossible to know whether such misfortunes are related to those OPM files. “The ineptitude and lack of accountability rankles,” says one federal worker, who adds that he mostly worries about possible criminal use of his information — he doubts that he and his wife are big enough fish to be targeted by foreign intelligence services. “Since we’re nobodies, any consequences for us will be remote enough that we won’t be able to definitively trace them back to OPM — that lack of accountability, again.”
Christopher Minakowski got his letter, too, but he is taking things in stride. “I know I should be more concerned than I am,” he says. One of the reasons for the former Hill staffer’s relative nonchalance is that before the OPM news came he already had been involved in a series of security failures in the private sector — Home Depot, Target, and a health-care provider — without much consequence. But he had a federal security clearance, which means that there’s a lot more sensitive information in his OPM file than on his Home Depot account. “I’m sure tomorrow my Social Security number, my American Express number, and a forgotten video of me insulting disabled kids will show up on the screen in Times Square.”
But of course the ChiComs — and everybody knows it was the ChiComs, and everybody knows that everybody knows it was the ChiComs, which made Xi Jinping’s cretinous wan little grin as he shook hands with Barack Obama and announced a new cybersecurity agreement in September all the more unbearable — didn’t hack the OPM because they wanted to run up bills at Armani Exchange on some unsuspecting bureaucrat’s gold card. Their agenda is espionage, blackmail, extortion, and murder. They were looking for, among other things, Standard Form 86, “Questionnaire for National Security Positions.” OPM bosses dissembled to the public, to Congress, and to journalists about whether that information had been accessed, but almost certainly it was. SF86 provides those hackers with what one security expert describes as a “phone book” of federal employees with access to sensitive information. The phone numbers are indeed there, but a lot more is, too: who your neighbors are, where you went to high school, whom you roomed with in college, foreign countries you’ve visited, connections you or your family may have abroad, etc. If you’ve got a mother-in-law in Shanghai, Beijing knows, which might be of some concern to you if you are engaged in diplomacy or trade negotiations — or espionage.
It’s the world’s greatest blackmail file.
If you think you’ve seen this movie before, you have: It was the plot of Brian de Palma’s Mission: Impossible. You might remember that terrific set piece where Tom Cruise dangles from the ceiling in a harness when he has to break into CIA headquarters to retrieve a top-secret list of intelligence operators. Remember why he had to do that? Because the imaginary federal government wanted to keep its employee data secure, and for that reason the computer holding the data was physically isolated from any network — if you’re not on a network, you can’t be hacked remotely. But the real-life federal government isn’t as good as the cinematic one — in real life, this stuff is connected to the Internet. If you should read the Pentagon’s support literature on Scattered Castles, the intelligence community’s in-house database of security clearances (which may itself have been compromised in the OPM hack), you might be amused to learn that “the Scattered Castles web application will only support the following internet browsers: Netscape 7.0 or higher.” Netscape.
“This info should have been sequestered from any open network, much more the public Internet,” Minakowski says. “Also, the fact that the Chinese seem to have had access to the database for a year is insane — I’m sure at some point they thought it must have been a honeypot, because the level of malpractice was so staggering they couldn’t have believed it was real.”
The Obama administration is sticking to its line that this was a criminal endeavor rather than an act of war — that Beijing wouldn’t “deploy resources to get the Social Security number of clerks at the Commerce Department,” as Rob Knake, formerly of the National Security Council, put it. Once again, though, real life isn’t like the movies. Intelligence agencies spy on one another all the time, but that’s a relatively high-cost/low-return exercise: It is in reality difficult to blackmail or extort intelligence operatives, because they are trained to deal with that sort of thing and because their agencies constantly are on the lookout for it. The day-to-day stuff is more along the lines of tricking a manager at the Treasury Department out of his systems-administrator password with a phishing scheme, or, as our own CIA has been known to do, collaborating with friendly local police to blackmail corrupt officials who do not know that their crimes already are known to the authorities (see Joseph Burkholder Smith, Portrait of a Cold Warrior). And for that, the sort of information compromised in the OPM hack is very valuable.
Worse yet, the hack also compromised fingerprint files. A stolen fingerprint is worse than a stolen password in one important way: it cannot be reissued. A password can be changed the day after a breach, but a fingerprint image or template in hostile hands could be used to defeat biometric security devices for the rest of the victim's life.
Representative Hurd argues that identity-theft hacking is “bad enough,” but worries more about “the grave impact of the theft of information belonging to those who are tasked with protecting America’s most sensitive information.” Accordingly, he has introduced the Einstein Act of 2015, currently marinating in committee.
The Einstein Act would allow for the broader use of something called the Einstein 3 Accelerated program — E3A, as it is known — an interesting tool for detecting and combating hacker attacks. E3A sits in front of the Internet connections of federal civilian agencies, at the ISPs that carry their traffic, and matches what flows to and from the vast and varied world of .gov against indicators of known threats: a malicious domain name, an IP address, the sender address on a phishing e-mail. Traffic that matches is flagged and blocked. But it is a tricky business, because the indicators themselves are often classified or else “could be considered PII” — that’s “personally identifiable information,” and it’s an automatic red flag for privacy concerns. The DHS report on the related privacy concerns predictably argues that, while your personally identifiable information (say, an e-mail address or a telephone number) could make its way into a spook database, it isn’t really personally identifiable information if the spooks aren’t spying on you per se: “DHS uses the phrase ‘information that could be considered PII’ because . . . in the context of E3A, these types of information are not used to identify an individual; instead, they are used as a reference point for particular known or suspected cyber threats.”
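To make the mechanism, and the privacy argument, concrete: the following is an added illustration, not code from the original article and not DHS software. It is a stripped-down indicator-matching filter of the kind E3A performs, run over a handful of constructed traffic records. The indicator values (drawn from the RFC 5737 documentation address ranges and `example.*` domains), the record schema, and the record contents are all invented for the example. Note that the one indicator that looks like personal data, a sender e-mail address, is used only as a thing to match against, which is exactly the distinction the DHS report is drawing.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Constructed indicator set. E3A's real indicators belong to DHS and are partly
# classified; every value here is made up (RFC 5737 test ranges, example.* names).
INDICATORS = {
    "ip":     {"203.0.113.7"},                               # TEST-NET-3
    "cidr":   {ipaddress.ip_network("198.51.100.0/24")},     # TEST-NET-2
    "domain": {"update-check.example.net"},
    # A sender address: the sort of indicator that "could be considered PII".
    # It is matched as a reference point for a known threat, not used to build
    # a profile of the people who send or receive mail.
    "email":  {"payroll-notice@example.org"},
}


@dataclass(frozen=True)
class Record:
    """One traffic record as a sensor might summarise it (constructed schema)."""
    proto: str    # "dns", "smtp" or "tcp"
    src: str      # source IP address
    dst: str      # destination IP address
    detail: str   # DNS name queried, SMTP sender address, or "" for plain TCP


def match_record(rec: Record) -> list[str]:
    """Return the indicator hits for one record; an empty list means it passes."""
    hits: list[str] = []
    for ip in (rec.src, rec.dst):
        if ip in INDICATORS["ip"]:
            hits.append(f"ip:{ip}")
        addr = ipaddress.ip_address(ip)
        for net in INDICATORS["cidr"]:
            if addr in net:
                hits.append(f"cidr:{net}")
    if rec.proto == "dns":
        # Match the queried name and each parent label, so that a lookup of a
        # subdomain of a flagged domain is still caught.
        labels = rec.detail.rstrip(".").lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in INDICATORS["domain"]:
                hits.append(f"domain:{candidate}")
                break
    elif rec.proto == "smtp":
        sender = rec.detail.lower()
        if sender in INDICATORS["email"]:
            hits.append(f"email:{sender}")
    return hits


def filter_traffic(records: Iterable[Record]) -> tuple[list[Record], list[tuple[Record, list[str]]]]:
    """Split records into those passed through and (record, hits) for those blocked."""
    passed: list[Record] = []
    blocked: list[tuple[Record, list[str]]] = []
    for rec in records:
        hits = match_record(rec)
        if hits:
            blocked.append((rec, hits))
        else:
            passed.append(rec)
    return passed, blocked


# Constructed sample traffic: two clean records and three that should be blocked.
SAMPLE = [
    Record("dns",  "10.1.2.3",      "10.1.0.53",   "www.example.gov."),
    Record("dns",  "10.1.2.4",      "10.1.0.53",   "cdn.update-check.example.net."),
    Record("smtp", "198.51.100.25", "10.1.0.25",   "payroll-notice@example.org"),
    Record("tcp",  "10.1.2.5",      "203.0.113.7", ""),
    Record("tcp",  "10.1.2.6",      "192.0.2.10",  ""),
]

if __name__ == "__main__":
    passed, blocked = filter_traffic(SAMPLE)
    for rec, hits in blocked:
        print(f"BLOCK {rec.proto:4} {rec.src} -> {rec.dst} {rec.detail!r} matched {hits}")
    print(f"{len(passed)} passed, {len(blocked)} blocked")
```

The thing to notice is what the filter does not do: it never asks who the mail was addressed to or who sat at the workstation that made the DNS query. The only "personal" datum in the system is the sender address on the indicator list, and the filter consults it exactly as it consults an IP address. Whether that is enough to quiet the privacy objection is a policy question; the code just shows where the line is drawn.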
E3A probably will help, but it isn’t going to be enough, and Hurd himself is quick to dismiss the notion that there exists a “silver bullet” for data security. The fundamental problem with data security is the fundamental problem with practically everything else in Washington: bureaucratic inertia combined with deficient institutions and insufficient oversight. Hurd complains that federal agencies year after year get reports from their inspectors general informing them that their computer networks are not secure, and year after year do approximately nothing about it — something the FTC would hand down multimillion-dollar fines over if these were private enterprises rather than government agencies. It isn’t the technology, it’s the people. When Senator Ron Wyden (D., Ore.) sent National Counterintelligence Executive William Evanina a letter demanding to know what our counterintelligence guys were up to as regards the pressing counterintelligence matter at OPM, he got back a short reply reading, in essence, “Not our job.” In the original bureaucratese: “The statutory authorities of the National Counterintelligence Executive . . . do not include identifying information technology (IT) vulnerabilities to agencies.”
The smart money’s on the Chinese hackers.